
Mapping User Groups

Note

The map user groups functionality is configured through the SSO Portal, but it applies to Infoblox Portal users only.

The Map Groups section allows you to automatically assign groups from your IdP (Identity Provider) to the Infoblox Portal groups. Based on your business requirements, you can choose a desired region, such as the US (United States) or EU (European Union) region. Depending on the selected region, you can add IdP user groups or Azure group IDs and map them to the respective Infoblox Platform user groups. Group mapping also requires that a “groups” attribute be sent in the SAML response from your IdP. Ensure that you populate the “groups” attribute with the IdP user groups or Azure group IDs that are assigned to your IdP users.

When users sign in and belong to a mapped IdP user group or Azure group ID, they are automatically assigned the corresponding Infoblox Portal groups. If the user did not previously have a user account in the Infoblox Portal, the account is created automatically and assigned those groups in your company's Infoblox Portal account.
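As an added example (not Infoblox code), the following Python snippet shows what the mapping described above does with the “groups” attribute: it extracts the values from a constructed SAML assertion fragment, applies the IdP group-name restrictions listed in the configuration steps, and resolves them through a hypothetical mapping table to Infoblox Portal groups. The group names, the mapping table and the assertion are all constructed sample values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion fragment; a real response would be signed and
# must be signature-verified before any attribute in it is trusted.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>idp-group</saml:AttributeValue>
      <saml:AttributeValue>dns.ops</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>-bad_name-</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping table: IdP group name -> Infoblox user group.
# Several IdP groups may map to the same Infoblox group.
GROUP_MAP = {"idp-group": "ib-ddi-admin", "dns.ops": "ib-ddi-admin"}

# Begins and ends with an alphanumeric; only a-z, A-Z, 0-9, '-' and '.' inside.
NAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")


def is_valid_group_name(name: str) -> bool:
    """Apply the IdP group-name restrictions: non-empty, <= 253 chars, allowed charset."""
    return 0 < len(name) <= 253 and NAME_RE.fullmatch(name) is not None


def extract_groups(assertion_xml: str) -> list:
    """Return every value of the 'groups' attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    path = './/saml:Attribute[@Name="groups"]/saml:AttributeValue'
    return [v.text.strip() for v in root.findall(path, NS) if v.text]


def resolve_portal_groups(assertion_xml: str, group_map: dict) -> tuple:
    """Return (sorted Infoblox groups to assign, rejected group values)."""
    portal_groups, rejected = set(), []
    for group in extract_groups(assertion_xml):
        if not is_valid_group_name(group):
            rejected.append(group)      # would be refused at mapping time
        elif group in group_map:
            portal_groups.add(group_map[group])
        # valid but unmapped groups (e.g. "finance") are simply ignored
    return sorted(portal_groups), rejected
```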

To configure user mapping, complete the following:

  1. Log in to the Infoblox SSO Portal at https://sso.infoblox.com/.
  2. On the 3rd Party IDP page of the Infoblox SSO Portal, go to the Map Groups section.
  3. From the Region drop-down menu, choose EU to map user groups in the EU region and choose US to do so in the US region. The SSO portal displays all regions by default.

  4. In the respective region, click Add, and then enter the IdP group name or the Azure group ID in the text box:
    • IDP USER GROUP: For OKTA federation.

    • AZURE GROUP ID: For Azure AD federation.

      Note: Ensure that you enter the IdP group name or Azure group ID you have configured in your SAML application. You can find the IdP group name/ID at your IdP. Azure AD will only send the groups’ Azure Group ID in the SAML Assertion. Therefore, IDP group names are not used when federating with Azure AD.

      The following restrictions apply to the IdP group names:

      • The name cannot be empty.
      • The length must be less than or equal to 253 characters.
      • Valid characters include the following: a-z, A-Z, 0-9, -, .
      • Must begin with an alphanumeric character.
      • Must end with an alphanumeric character.
        If your IdP group names do not meet the above restrictions, you will receive an error when you try to add the group mapping entries.
  5. From the Infoblox USER GROUP drop-down list, choose the desired Infoblox User Group to map to the respective IdP user group or Azure group ID. You can also use the search option by entering the name of the Infoblox user group to find a match. Repeat this process for each IdP group or Azure group ID as necessary to create multiple mappings. You can map multiple IdP groups to a single Infoblox user group.
    For example, if you map an IdP user group "idp-group" to an Infoblox user group "ib-ddi-admin," any user who signs in to the Infoblox Portal and belongs to the "idp-group" group will automatically be added to the "ib-ddi-admin" group.
  6. Click Save to save the mappings.
  7. After you have configured the SAML application and mapped user groups, you can complete the following configuration:
    1. Testing 3rd Party IdP Authentication
    2. Activating 3rd Party IdP Authentication

    You can also perform the following after you set up 3rd party IdP authentication: